Google is the latest, announcing recently that by Q4 of this year, HTML5 would be the default in the Chrome browser, except for content on 10 high-traffic, high-profile sites such as YouTube, Facebook, Yahoo, Amazon, Twitch and Live.com.

“We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site,” said Anthony LaForge, a technical program manager with the Google Chrome team.

“While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption,” LaForge said. “This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience.”

Members of Google’s Project Zero research outfit have been instrumental in finding and privately disclosing vulnerabilities in Flash Player. Adobe continues to patch Flash Player at a monthly or better frequency, and has already this year pushed out a pair of out-of-band emergency updates addressing zero-day vulnerabilities under attack.

Project Zero team member Natalie Silvanovich said during a talk at the recent Infiltrate Conference in April that she spends most of her day looking at Flash Player vulnerabilities, and shared a timeline, reaching back to the start of 2015, of the Flash bugs she and others at Google found and reported.

Silvanovich said during her talk that, despite the rancor against Flash and the demands for it to be deprecated, things are getting better.

“I was finding one bug a day at the start,” she said. “And now it’s probably one bug a week.”

Silvanovich said that efforts by Adobe to introduce new exploit mitigations into the Flash Player code base have slowed down exploit development and made it more difficult for researchers looking for bugs. Silvanovich said that, for example, use-after-free bugs are more difficult to exploit and that other classes of vulnerabilities such as redefinition bugs may be going away. She added that information garnered from the Hacking Team data breach last summer was also important to her work.

“The Hacking Team dump was an unprecedented source of information on how Flash exploits work in the wild,” she said during her talk.

Adobe too, however, is conceding that Flash has likely run its course. Last December, Adobe said that its Animate CC development tool will primarily support HTML5 over Flash.

“Our customers have clearly communicated that they would like our creative applications to evolve to support multiple standards and we are committed to doing that,” Adobe said in announcing the move.

Adobe has committed to Flash feature development and security updates to lessen the risks around the software; it’s unlikely Flash will ever completely disappear, since too many legacy applications and too much existing web content rely on it.

That means that hackers will continue to prey on Flash; Hacking Team, for example, had at least two zero-days at its disposal, and government agencies and commercial outfits such as Zerodium covet Flash zero-days.

I won an office bet. I told coworkers that we were headed for HTML5 standardization across Fortune 100 tech companies and that there would be a major move by a big internet entity before 2017. Bam, nailed it!

Authors

Threatpost